A federal judge said up to 29 million Facebook users whose personal information was stolen in a September 2018 data breach cannot sue as a group for damages.
However, users can seek better security at the social media company after a series of privacy lapses, U.S. District Judge William Alsup ruled in San Francisco. He said that neither credit monitoring costs nor the reduced value of stolen personal information was a “cognizable injury” that supported a class action for damages.
Alsup also said damages for time users spent to mitigate harm required individualized determinations rather than a single classwide assessment.
“Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision,” at least at this stage of the litigation, Alsup wrote.
On Sept. 28, 2018, Facebook disclosed that hackers had exploited software flaws to access 50 million users’ accounts, at the time considered the largest breach in the company’s history.
The social network scaled back its estimate of the breach's size two weeks later, saying 30 million users had their access tokens stolen, while 29 million had personal information such as gender, religion, email addresses, phone numbers and search histories taken.